MongoDB SCRAM-SHA-1 over SASL

1st November 2015

I recently implemented SCRAM-SHA-1 over SASL for Fantom's MongoDB driver so it could authenticate against MongoDB v3 databases.

Much to my surprise, for such a massive breaking change to MongoDB drivers, there's next to nothing available that succinctly explains how it works. Not a sausage!

What I did find though, was a list of specifications and documentation that was as cryptic as the authentication mechanism itself!

By scrutinising every word in the documentation, and by reading the source code for a native Erlang driver, I was finally able to figure it out.

So now I present to you, what would have been extremely helpful to me, a fully worked authentication conversation with MongoDB for SCRAM-SHA-1 over SASL.

Overview

All the authentication documentation for MongoDB v3.x talks of SCRAM-SHA-1, or Salted Challenge Response Authentication Mechanism (SCRAM) with SHA-1, as defined in RFC 5802. SCRAM defines the challenge / response messages that client and server exchange, and how the client proof and server signature inside those messages are derived from the password. Its key-stretching step, called Hi() in the RFC, is the PBKDF2 algorithm from PKCS #5 (Public-Key Cryptography Standards), run here with HMAC-SHA-1.

SASL, or Simple Authentication and Security Layer (RFC 4422), then defines the protocol for how these authentication messages are sent and received: it is the framing that carries the SCRAM payloads back and forth.

These SASL messages are then wrapped up in MongoDB BSON documents and sent as database commands (saslStart for the first step, saslContinue for every step after it) in the usual MongoDB driver manner.
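The three layers above, played out end to end, as an added example that is not part of the original post or of the Fantom driver. The client and server sides are both simulated in memory, so it runs offline; the nonces, salt and iteration count are the RFC 5802 section 5 test vector (user "user", password "pencil"), which lets the generic SCRAM path be checked against the RFC's published proof and server signature. The MongoDB-specific twist, that the string fed to Hi() is the hex MD5 of "username:mongo:password" rather than the raw password, is behind a flag, and the saslStart / saslContinue documents are built as plain dicts standing in for the BSON encoding. The function and constant names (scram_sha1_conversation, server_verifies_proof, RFC5802_VECTOR and so on) are this example's own.

```python
import base64
import hashlib
import hmac


def mongodb_password_digest(username, password):
    """MongoDB's SCRAM-SHA-1 does not salt the raw password: it first takes the
    hex MD5 of "username:mongo:password" (the old MONGODB-CR hash) and feeds that
    string to SCRAM as the password."""
    return hashlib.md5(f"{username}:mongo:{password}".encode()).hexdigest()


def hi(password, salt, iterations):
    """Hi() from RFC 5802 is PBKDF2 (PKCS #5) with HMAC-SHA-1 and a 20-byte output."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)


def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def scram_sha1_conversation(username, password, client_nonce, server_nonce_suffix,
                            salt, iterations, mongodb_prehash=True):
    """Play out all four SCRAM messages in memory and return every intermediate.

    The server side is simulated, so it is handed the password; a real server
    keeps only salt, iterations, StoredKey and ServerKey per user.
    """
    if mongodb_prehash:
        password = mongodb_password_digest(username, password)
    # SCRAM escapes '=' and ',' inside the username so the message stays parseable.
    user = username.replace("=", "=3D").replace(",", "=2C")
    nonce = client_nonce + server_nonce_suffix

    # 1. client-first: gs2 header "n,," (no channel binding) then the bare part.
    client_first_bare = f"n={user},r={client_nonce}"
    client_first = "n,," + client_first_bare
    # 2. server-first: combined nonce, base64 salt, iteration count.
    server_first = f"r={nonce},s={base64.b64encode(salt).decode()},i={iterations}"
    # 3. client-final without proof: c=biws is base64("n,,"), echoing the header.
    client_final_no_proof = f"c=biws,r={nonce}"
    auth_message = ",".join([client_first_bare, server_first, client_final_no_proof]).encode()

    salted = hi(password, salt, iterations)
    client_key = hmac_sha1(salted, b"Client Key")
    stored_key = hashlib.sha1(client_key).digest()
    client_signature = hmac_sha1(stored_key, auth_message)
    client_proof = xor_bytes(client_key, client_signature)
    server_key = hmac_sha1(salted, b"Server Key")
    server_signature = hmac_sha1(server_key, auth_message)

    client_final = f"{client_final_no_proof},p={base64.b64encode(client_proof).decode()}"
    # 4. server-final: the signature the client must verify before trusting the server.
    server_final = f"v={base64.b64encode(server_signature).decode()}"
    return {
        "client_first": client_first, "server_first": server_first,
        "client_final": client_final, "server_final": server_final,
        "auth_message": auth_message, "stored_key": stored_key,
        "server_key": server_key, "client_proof": client_proof,
        "server_signature": server_signature,
    }


def server_verifies_proof(stored_key, auth_message, client_proof):
    """What the server does with client-final: recover ClientKey by XORing the
    proof with its own ClientSignature, then compare SHA-1(ClientKey) to StoredKey.
    A wrong password gives a different ClientKey and the check fails."""
    client_signature = hmac_sha1(stored_key, auth_message)
    client_key = xor_bytes(client_proof, client_signature)
    return hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key)


def sasl_start_command(payload):
    """Shape of the command document for the first SASL step (the payload travels
    as BSON binary; a dict stands in for the BSON encoding here)."""
    return {"saslStart": 1, "mechanism": "SCRAM-SHA-1",
            "payload": payload.encode(), "autoAuthorize": 1}


def sasl_continue_command(conversation_id, payload):
    """Every later step is a saslContinue carrying the conversationId that the
    server returned from saslStart."""
    return {"saslContinue": 1, "conversationId": conversation_id,
            "payload": payload.encode()}


# Constructed input: the RFC 5802 section 5 vector (generic SCRAM, no MongoDB
# pre-hash) so proof and signature can be compared with the RFC's values.
RFC5802_VECTOR = dict(username="user", password="pencil",
                      client_nonce="fyko+d2lbbFgONRv9qkxdawL",
                      server_nonce_suffix="3rfcNHYJY1ZVvWVs7j",
                      salt=base64.b64decode("QSXCR+Q6sek8bf92"), iterations=4096)

if __name__ == "__main__":
    conv = scram_sha1_conversation(mongodb_prehash=False, **RFC5802_VECTOR)
    for step in ("client_first", "server_first", "client_final", "server_final"):
        print(f"{step:13s} {conv[step]}")
    print("first step wrapped as:", sasl_start_command(conv["client_first"]))
```

Two things worth noticing when reading a captured conversation against this. First, with mongodb_prehash left on, the same nonces, salt and iteration count produce a different proof and signature than the RFC shows, because MongoDB's input to Hi() is the 32-character MD5 hex string, not the password the user typed. Second, the v= value in server-final is not decoration: the client recomputes ServerSignature from its own SaltedPassword and refuses the connection if it differs, which is what stops a server that never knew the password from completing the handshake.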

If you want the low down on all of the above, here are links to the relevant parts of the specifications:

Note that the MongoDB specification above was bloody hard to track down! It does have a sample client / server conversation, but it makes no attempt to explain how it arrived at the given values. For consistency, this example uses the same parameters, but shows how they were calculated.